improves error messages for better error logging/troubleshooting

project-kessel · Oct 30, 2024 · c5f8afe · c5f8afe
1 parent b555b36
commit c5f8afe
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 17 deletions.
diff --git a/internal/authn/oidc/oidc.go b/internal/authn/oidc/oidc.go
@@ -62,11 +62,13 @@ func (o *OAuth2Authenticator) Authenticate(ctx context.Context, t transport.Tran
 	u := &Claims{}
 	err = tok.Claims(u)
 	if err != nil {
+		log.Errorf("failed to extract claims: %v", err)
 		return nil, api.Deny
 	}
 
 	if o.EnforceAudCheck {
 		if u.Audience != o.CompletedConfig.ClientId {
+			log.Debugf("aud does not match the requesting client-id -- decision DENY")
 			return nil, api.Deny
 		}
 	}

diff --git a/internal/authn/psk/config.go b/internal/authn/psk/config.go
@@ -2,10 +2,9 @@ package psk
 
 import (
 	"fmt"
+	"gopkg.in/yaml.v3"
 	"io"
 	"os"
-
-	"gopkg.in/yaml.v3"
 )
 
 type Config struct {
@@ -49,10 +48,10 @@ func (c *Config) loadPreSharedKeys() error {
 			data, err := io.ReadAll(file)
 			if err == nil {
 				if err := yaml.Unmarshal(data, &c.Keys); err != nil {
-					return err
+					return fmt.Errorf("failed to unmarshall preshared key: %v", err)
 				}
 			} else {
-				return err
+				return fmt.Errorf("failed to read preshared key file: %v", err)
 			}
 		} else {
 			return fmt.Errorf("Error opening preshared key file: %s [%s]", c.PreSharedKeyFile, err.Error())

diff --git a/internal/authz/kessel/kessel.go b/internal/authz/kessel/kessel.go
@@ -105,7 +105,7 @@ func (a *KesselAuthz) getCallOptions() ([]grpc.CallOption, error) {
 	if a.tokenClient.EnableOIDCAuth {
 		token, err := a.tokenClient.getToken()
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to request token: %v", err)
 		}
 		if a.tokenClient.Insecure {
 			opts = append(opts, WithInsecureBearerToken(token.AccessToken))

diff --git a/internal/authz/kessel/token.go b/internal/authz/kessel/token.go
@@ -5,13 +5,14 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/patrickmn/go-cache"
-	"google.golang.org/grpc"
 	"io"
 	"net/http"
 	"net/url"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/patrickmn/go-cache"
+	"google.golang.org/grpc"
 )
 
 const (
@@ -111,21 +112,22 @@ func (a *tokenClient) getToken() (*TokenResponse, error) {
 	data.Set("grant_type", client_credentials_granttype)
 	req, err := http.NewRequest("POST", a.URL, bytes.NewBufferString(data.Encode()))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create token request: %v", err)
 	}
 
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Accept", "application/json")
 
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("token request failed: %v", err)
 	}
 	defer resp.Body.Close()
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, err
+
+		return nil, fmt.Errorf("failed to parse token response: %v", err)
 	}
 
 	if resp.StatusCode != http.StatusOK {
@@ -134,7 +136,7 @@ func (a *tokenClient) getToken() (*TokenResponse, error) {
 
 	var tokenResponse TokenResponse
 	if err := json.Unmarshal(body, &tokenResponse); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to unmarshal token response: %v", err)
 	}
 	a.cache.Set(cachedTokenKey, tokenResponse.AccessToken, cacheCleanupInterval)
 	return &tokenResponse, nil

diff --git a/internal/server/grpc/config.go b/internal/server/grpc/config.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"io"
 	"os"
 	"time"
@@ -45,7 +46,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 		var err error
 		config.Certificates = make([]tls.Certificate, 1)
 		if config.Certificates[0], err = tls.LoadX509KeyPair(c.Options.ServingCertFile, c.Options.PrivateKeyFile); err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
 		}
 
 		if c.Options.CertOpt > int(tls.NoClientCert) && c.Options.ClientCAFile != "" {
@@ -55,7 +56,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 					caCertPool = x509.NewCertPool()
 					caCertPool.AppendCertsFromPEM(caCert)
 				} else {
-					return nil, err
+					return nil, fmt.Errorf("failed to load CA certificate: %v", err)
 				}
 			}
 

diff --git a/internal/server/http/config.go b/internal/server/http/config.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"io"
 	"os"
 	"time"
@@ -45,7 +46,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 		var err error
 		config.Certificates = make([]tls.Certificate, 1)
 		if config.Certificates[0], err = tls.LoadX509KeyPair(c.Options.ServingCertFile, c.Options.PrivateKeyFile); err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
 		}
 
 		if c.Options.CertOpt > int(tls.NoClientCert) && c.Options.ClientCAFile != "" {
@@ -55,7 +56,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 					caCertPool = x509.NewCertPool()
 					caCertPool.AppendCertsFromPEM(caCert)
 				} else {
-					return nil, err
+					return nil, fmt.Errorf("failed to load CA certificate: %v", err)
 				}
 			}
 

diff --git a/internal/server/otel.go b/internal/server/otel.go
@@ -3,6 +3,8 @@ package server
 // Taken from Kratos examples: https://github.com/go-kratos/examples/blob/main/otel/internal/dep/otel.go
 
 import (
+	"fmt"
+
 	"github.com/go-kratos/kratos/v2/middleware/metrics"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/exporters/prometheus"
@@ -19,7 +21,7 @@ func NewMeter(provider metric.MeterProvider) (metric.Meter, error) {
 func NewMeterProvider(s *Server) (metric.MeterProvider, error) {
 	exporter, err := prometheus.New()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to setup exporter for meter provider: %v", err)
 	}
 
 	provider := sdkmetric.NewMeterProvider(